Description
SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.
Published: 2026-05-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SOGo before 5.12.7, when PostgreSQL is used, fails to properly sanitise user input in certain components of its web interface, which allows an attacker to inject arbitrary SQL statements. This flaw can enable unauthorized manipulation of database queries, potentially exposing, modifying, or destroying data stored in the PostgreSQL backend. The vulnerability is a classic example of a CWE‑89 flaw.

Affected Systems

Alinto SOGo, any version prior to 5.12.7 that relies on PostgreSQL for data storage is affected. Unauthorized access could be achieved through the public web interface or API that interacts with the database.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity potential for impact. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, so the current exploit probability is uncertain. The likely attack vector is remote, via the web interface or API when PostgreSQL is the backend database, enabling an attacker to craft malicious requests that bypass normal input validation.

Generated by OpenCVE AI on May 14, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Alinto SOGo to version 5.12.7 or later, which includes the official SQL injection fix.
  • If an upgrade cannot be performed immediately, restrict access to the SOGo web interface to trusted IP addresses and enforce strict authentication to limit exposure.
  • Limit the database user's privileges to the minimum necessary for SOGo operation and monitor database activity for suspicious queries.

Generated by OpenCVE AI on May 14, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 04:30:00 +0000

Type Values Removed Values Added
Title SOGo Webmail Server SQL Injection via PostgreSQL

Thu, 14 May 2026 03:30:00 +0000

Type Values Removed Values Added
Description SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.
First Time appeared Alinto
Alinto sogo
Weaknesses CWE-89
CPEs cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*
Vendors & Products Alinto
Alinto sogo
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Alinto Sogo
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T13:54:20.100Z

Reserved: 2026-05-14T03:10:31.633Z

Link: CVE-2026-46445

cve-icon Vulnrichment

Updated: 2026-05-14T13:54:16.436Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T04:17:03.193

Modified: 2026-05-14T16:49:18.583

Link: CVE-2026-46445

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T06:00:11Z

Weaknesses